Reputation: 645
Reading this doc, you have to register your application using Application Registration Portal.
Also, according to this doc, you need Application ID URI to specify the scope parameter and tenant_id for the aud parameter in order to generate the JWT.
The problem is: where do I find this information?
I tried to use these without success:
scope : api://0adaa814-c4d4-4c09-ae8e-dd0535e9e931/.default
aud : https://login.microsoftonline.com/mldijon.onmicrosoft.com/v2.0/oauth2/token
For more information, here is the error I get while trying to get a token:
AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.
And here is the POST request I make to get it:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: 888bf937-31b4-166b-4d8d-339cd05e21ea
client_id=256e411c-bf42-4634-abaa-a7feafe6698a&scope=api%3A%2F%2F256e411c-bf42-4634-abaa-a7feafe6698a%2F.default&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJ4NXQiOiJKemdVM09ycWlqZVBFVjRGMlZLd3NFYW0rekk9IiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiIyNTZlNDExYy1iZjQyLTQ2MzQtYWJhYS1hN2ZlYWZlNjY5OGEiLCJhdWQiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvbWxkaWpvbi5vbm1pY3Jvc29mdC5jb21cL29hdXRoMlwvdG9rZW4iLCJzdWIiOiIyNTZlNDExYy1iZjQyLTQ2MzQtYWJhYS1hN2ZlYWZlNjY5OGEiLCJleHAiOjE1MTEyNzI0MjYsImlhdCI6MTUxMTI2ODgyNiwibmJmIjoxNTExMjY4ODI2fQ.ZurlKZQ34FNPYLrAujzN6QOkZ9iufJMwVpkMU_gk53UOQqNk-Y_pFOf-OwwGRg9wCnfU46xZt2TiGj_3zLhHxsawg6VeI-tbt62onBiBfJCtTUXpedK23PLS0td7ss2oU7yziRmHDrGe3ZPmpMChnom2iLUNoZiZeAWgzdV47HGid7IJ8Je0fOglsvGvKLjRqC6Y5jJ2kaY6KDd8dhN4UgJjM-HoeGKYtNQ5dz9C8lPDD9_stejfkzDUtvCrFyOY9Cn5TmqZe-LxFW4i7imvriIQHRK1F30j7iWLDoB3aI9WN5Y0dTBl8_8bq83HE9fK5hWFmibt1zY4pclSGm8UNg&grant_type=client_credentials
Upvotes: 1
Views: 2187
Reputation: 12434
You should follow the instructions here to get an access token to the Microsoft Graph.
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_overview
// Line breaks for legibility only
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20mail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh // NOTE: Only required for web apps
Note a few things:
- aud value is implied to be https://graph.microsoft.com when it is not specified.
- scope value is one or more of the permissions defined by the Microsoft Graph.
Now the code above works specifically for User Sign In. There is a section about getting an access token without a user: Get access without a user
This follows this pattern:
// Line breaks are for legibility only.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Note that this has {tenant} rather than common in the token url. This is because when you are getting a token without a user, you must specify the tenant endpoint you are trying to access. In the case of the user being present, we try to auto-discover the tenant endpoint, which is what the common endpoint does.
Let me know if this solves your problems.
Upvotes: 1
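The {tenant}-versus-common point from the answer above, as a pre-flight check on a token request; this is an added example, not code from either poster or from Microsoft. The names preflight, tenant_of and sample_body, the tenant contoso.example and the all-zero client_id are constructed, and the rule that the assertion's aud should name the same tenant as the endpoint is an assumption of this example.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def tenant_of(url_or_path):
    """First path segment of a token URL or path: /{tenant}/oauth2/v2.0/token."""
    parts = [p for p in urlsplit(url_or_path).path.split("/") if p]
    return parts[0].lower() if parts else None

def preflight(request_path, form_body):
    """Return the problems found in a token request before it is sent."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        return []  # with a user present, /common is allowed
    problems = []
    endpoint_tenant = tenant_of(request_path)
    if endpoint_tenant in (None, "common"):
        problems.append("endpoint-not-tenant-specific")
    assertion = form.get("client_assertion")
    if assertion:
        try:
            # Decode the JWT payload only; the signature is not verified here.
            claims = json.loads(b64url_decode(assertion.split(".")[1]))
            aud_tenant = tenant_of(str(claims["aud"]))
        except (IndexError, KeyError, TypeError, ValueError):
            return problems + ["assertion-unparseable"]
        # Assumption of this example: aud should name the endpoint's tenant.
        if aud_tenant != endpoint_tenant:
            problems.append("aud-tenant-mismatch")
    return problems

def sample_body(aud):
    """Constructed request body; the assertion is unsigned sample data."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    jwt = ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"aud": aud}), "sig"])
    return urlencode({
        "client_id": "00000000-0000-0000-0000-000000000000",  # placeholder
        "scope": "https://graph.microsoft.com/.default",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt,
        "grant_type": "client_credentials",
    })

if __name__ == "__main__":
    aud = "https://login.microsoftonline.com/contoso.example/oauth2/v2.0/token"
    for path in ("/common/oauth2/v2.0/token", "/contoso.example/oauth2/v2.0/token"):
        print(path, preflight(path, sample_body(aud)))
```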